The 30-minute incident-response readiness check

You don't need a tabletop to find your biggest gaps. Five honest answers will do it. Deloitte found 31% of family offices have no incident-response plan at all — start by making sure you're not one of them.

Securidigm · April 2026 · ~5 min read

Work through these five questions out loud with whoever runs operations. If you can't answer one cleanly in a minute, that's a gap — and gaps in incident response are the ones that turn a contained event into a reportable disaster.

1. Is there a written plan — and does anyone know where it is?

Not "we'd call our IT person." An actual document that says what happens, in what order, when something goes wrong. If it lives only in someone's head, it doesn't exist under Reg S-P or the FTC Safeguards Rule, both of which require a written program. Pass: you can open the plan right now.

2. Who decides whether it's a notifiable breach?

This is the question that paralyzes firms mid-incident. Someone has to make the call on whether sensitive information was likely accessed — because that decision starts a 30-day notification clock under both Reg S-P (to customers) and the FTC Safeguards Rule (to the FTC, for 500+ consumers). Pass: a named person owns that determination, and knows the criteria.

3. Do you know your clocks?

If an incident were confirmed today, what are your deadlines, and to whom? Customers within 30 days? The FTC within 30 days? A state attorney general on a shorter timeline? Cyber-insurance notice within 72 hours to preserve coverage? Pass: you can name your applicable clocks without looking them up.

4. Could you actually recover?

Backups everyone assumes exist are the ones that fail when needed. When were yours last restored — not just run? Are they isolated from the network so ransomware can't reach them? Pass: you've tested a restore in the last 12 months and the backups are offline/immutable.

5. Who do you call — and is the list reachable offline?

In a real incident you need, fast: outside counsel, a forensics/IR firm, your cyber insurer's hotline, your bank's fraud desk, and key leadership. If that contact list lives only in the email system that just got compromised, you can't reach it. Pass: the call list exists on paper or somewhere off-network.

Scoring

5 clean passes: you're genuinely ready — keep it rehearsed.
3–4: typical, and fixable in one focused engagement.
0–2: you'd be improvising during the worst hour of your year. Treat it as urgent.

The pattern in failures isn't ignorance: it's that no one ever made these decisions in advance, so they get made badly under pressure. A written plan and one rehearsal convert panic into procedure.

Turn the gaps into a plan

Securidigm builds your written incident-response plan, sets the notification clocks, and runs the tabletop so your team has done it once before it's real.

Securidigm provides advisory cybersecurity services and prepares draft documents. It does not provide an audit, a certification, or legal advice. This article is general information, not advice for your situation, and no outcome is guaranteed.